Use a smartphone? You may want to read this

The security threat to mobiles has just stepped up.

By Lia Timson in San Francisco

Phone crashing regularly? Strange SMS bothering you for an update or a juicy link? It's time to wise up to mobile malware.

Security experts have shown that iPhones and Android phones are vulnerable to the same type of "drive-by" attacks that have long plagued PC users.

Co-author of Hacking Exposed, George Kurtz.Credit:Fairfax and Bloomberg

A team of researchers infected a Google Android smartphone on Wednesday, live, in front of a packed audience of computer security buffs to prove how mobile malware is now on the cusp of the big time, after so many years of unfulfilled predictions.

George Kurtz, co-author of Hacking Exposed, former McAfee security champion and now at the helm of CrowdStrike alongside former McAfee leading researcher Dmitri Alperovitch, demonstrated how the team designed a smartphone remote access tool (RAT) and eavesdrop operation.

Advertisement

They then set about buying the necessary items to make it happen, later coding, then executing the attack on their demo phone.

"We believe we are here today and on the cusp of what we're going to see in the future. If you think of what a smartphone has the capability to do, it's the ultimate spying tool. Always powered on, always connected, travels around with us at all times," Kurtz began.

"If you haven't figured out privacy is dead, this is going to do it for you."

The scenario was a competitor wanting to intercept calls and text messages on Kurtz's phone and the attack was Webkit-based. Webkit is a tool used by Apple, Google and RIM to render HTML websites in Safari, Chrome and Android, and the latest versions of the BlackBerry, respectively.

The team bought 20 Webkit vulnerabilities – or bugs - in the underground for $US1400, spent approximately $US14,000 developing the malware code ("weaponisation phase") and engineering root access, as well as building their own command and control centre to be able to harvest the fruits of their exploits.

The attack followed several steps: the first was a text message delivered to the smartphone appearing to come from the mobile carrier requesting a system update via a link. Once clicked, the drive-by link delivered the first part of the malware to the phone to elevate access (root) privilege, then cause it to crash.

It then automatically rebooted, executing the second part of the malware and hijacking the phone's communications.

When Kurtz made a call to Alperovitch, the audience could hear the live conversation – as well as what was said before the call connected. On the command and control centre's screen, a map positioned Kurtz and Alperovitch's locations, the start of transmission, and the text of a subsequent text message Alperovitch sent Kurtz.

They said the attack did not require a phone be jailbroken and would work on any of the devices using Webkit – although this particular code was customised for the Adroid 2.2 (Froyo) version.

Kurtz told Fairfax Media such an attack would be possible on the iPhone because of the root access obtained via the browser vulnerability.

"We would have to get code execution via the browser, then escalate our privilege to root and totally bypass the app store [as we did] with Android.

"This is the point we are making: drive-by attacks will hit the phone just like the PCs," he said.

But he said he didn't want the audience to develop a bout of paranoia.